Tag Info

What can be done to properly re-enable the Windows firewall on a domain?
Well, the short answer is that it's going to be a lot of work if you decide to forge ahead, and for the record, I'm not sure I would.
In the general case, client firewalls don't provide much security in a corporate network (which typically has hardware firewalls and controls this type ...

You already know what the best practice is; the MS-supported thing to do. You've already seen how disabling the service can lead to unpredictable behavior and that it breaks other functionality that's tangentially tied to the service. If you, as an administrator, don't have the power to stop the idiots from doing idiotic things, then escalate this to the ...

Edit: I would just like to state that there is nothing inherently wrong with Windows Firewall. It is a perfectly acceptable part of an overall defense-in-depth strategy. The fact of the matter is, most shops are too incompetent or too lazy to be bothered to figure out what firewall rules are needed for the applications that they run, and so they just force ...

What mfinni said, except that we forward three ports to a behind-the-firewall all-in-one Exchange box:
25: SMTP
80: HTTP (redirect to OWA HTTPS)
443: HTTPS
This works fine for people with Androids, iPhones, etc. Generally, people at home use OWA or their phone, anyway.
Edit: Since you asked for a Microsoft source, this is a link to a TechNet article ...

You're trying to set this rule in the RDP configuration page; you should be setting it in the firewall configuration page.
Basically, you need to click start, search for Windows Firewall and follow the screen shots that I've provided below. You'll be adding a Remote IP Allow rule to the pre-defined RDP-IN rule that should already be enabled.
Edit: Added ...

Part of the reason you're not seeing that advice as a potential fix is that it isn't a fix, merely a work-around. By setting up an IP block that way you're limiting the scope to something similar to the scope presented by a VPN server that allows anyone with the right credentials to connect to it. It limits the scope of the vulnerability, but it doesn't ...

That looks mostly correct for a wide-open all-protocols implementation. Some suggestions:
Unless you have mail clients, with a business justification, that require all that, limit it to just 25, 80, 443. Don't allow POP access, that's a plaintext password. Don't allow client SMTP access, that's a plaintext password. (Of course, to accept mail from the ...

Nothing, in the appropriate circumstances. We do it for customers all the time.
The problem comes when you don't realise (or forget) that you've got IP address restrictions in place, and your last (or only) RDP-accessible IP address changes -- suddenly, you're locked out, and you can't fix it (because you're locked out).
We've solved the problem at work ...
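The two answers above (scoping the predefined RDP inbound rule to allowed remote addresses, and the lockout that follows when the admin's own address is not on that list) can be put together in PowerShell. The following is an added example, not code from either answer: it sets the remote-address scope on the built-in "Remote Desktop" rule group and always folds in the addresses of the RDP clients currently connected, so the session applying the change cannot lock itself out. The allow-list addresses and the listener port (3389, the default) are assumptions.

```powershell
# Added example (not from the original answers). Scopes the predefined
# "Remote Desktop" inbound rules to an allow-list without locking out the
# session that runs this script. Requires the NetSecurity module (2012 R2+/Win8+).

function Get-ConnectedRdpClients {
    # Every established connection to the RDP listener is a live admin session;
    # port 3389 is assumed (change it if the listener was moved).
    Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty RemoteAddress -Unique
}

function Set-RdpRemoteScope {
    param([Parameter(Mandatory)][string[]]$AllowedAddresses)

    $connected = @(Get-ConnectedRdpClients)

    # Safety check: if we are inside an RDP session but cannot see any client
    # address, refuse rather than risk writing a scope that excludes ourselves.
    if ($env:SESSIONNAME -like 'RDP*' -and $connected.Count -eq 0) {
        throw 'Running over RDP but no connected RDP client address was found; refusing to change the scope.'
    }

    # Allowed list plus every currently connected client, de-duplicated.
    $scope = @($AllowedAddresses + $connected) | Sort-Object -Unique

    # All inbound rules in the predefined group get the same remote-address filter.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $scope -Enabled True

    $scope
}

function Get-RdpRemoteScope {
    # Read back what the firewall actually stored for the group.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress -Unique
}

# Usage with an assumed management subnet and jump host:
Set-RdpRemoteScope -AllowedAddresses '10.0.10.0/24', '192.0.2.15'
Get-RdpRemoteScope
```

Run it from the RDP session you want to keep; the address of that session is added to the scope automatically. Review the output of Get-RdpRemoteScope before disconnecting, and keep an out-of-band path (console, iLO/iDRAC, or the remote-registry and psexec routes described further down this page) in case the management addresses change later.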

The Windows firewall is just fine for most applications. As with running any server, start out with a default deny policy and open up only the ports that you need.
Perhaps the more important question is whether or not your application software is secure...

In Windows 2008R2 or later, locate each of the following keys in the registry:
HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile
HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile
HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
Add or edit the ...

I'd like to preface this by saying that I strongly urge anyone that disables their Windows firewall to take the time to understand how it works and how to manipulate it via GPO instead of outright turning it off. There's no reason to turn off a host-based firewall. Microsoft makes excellent tools to manage firewall rules, you should use them.
This TechNet ...

You absolutely should leave these on ...
Packet Too Big
Parameter Problem
Time Exceeded
You absolutely should leave these on if you are going to be doing any IPv6
IPv6
Multicast Listener Done, Query, Report and Report v2
Neighbor Discovery Advertisement and Solicitation
Router Advertisement
Router Solicitation
And I would disable these ...
IPHTTPS
...

There are 3 profiles available (domain/private/public). You can view which is "active" on the top node "Windows Firewall with Advanced Security" of the MMC. Please ensure the profile that is active is the one you enabled and configured the firewall logging for. You can configure the settings the same for all 3 profiles or have a unique configuration for each....

Errr, tidy up your GPOs, and disable it there. Or, at the very least, create a new GPO at the top of the stack (highest precedence) and disable the firewall. Then go back and tidy your other GPOs later. Local Security policy gets overridden by GPOs, and the first area of the registry you're writing to is specifically for GPO processing.
Short answer... ...
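The three answers above turn on the same point from different sides: the per-profile keys under HKLM\Software\Policies\Microsoft\WindowsFirewall are written by Group Policy, a GPO value there overrides Local Security Policy, and only the currently active profile matters for whether the firewall is actually filtering. The following is an added example, not code from any of those answers; it is read-only and reports, for each profile, the GPO-set EnableFirewall value (if any), the effective state from the active policy store, and which profile each network connection is currently classified into. The value name EnableFirewall is the one Group Policy writes under those keys; treating StandardProfile as the legacy name for the private profile is stated here as an assumption.

```powershell
# Added example (not from the original answers). Read-only report of
# GPO-written firewall policy vs. effective firewall state per profile.

$policyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
# StandardProfile is assumed to be the legacy (pre-Vista) name for the private
# profile; it is listed so an old GPO still writing there is not overlooked.
$profileKeys = @{
    Domain   = 'DomainProfile'
    Private  = 'PrivateProfile'
    Public   = 'PublicProfile'
    Standard = 'StandardProfile'
}

function Get-FirewallPolicyState {
    foreach ($name in 'Domain', 'Private', 'Public', 'Standard') {
        $key = Join-Path $policyRoot $profileKeys[$name]

        # Present only when a GPO has set the "Protect all network connections"
        # policy for this profile; absent means Local Security Policy applies.
        $gpo = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue

        # ActiveStore is the merged result of every store that applies to this
        # machine, i.e. what the firewall is actually enforcing right now.
        $effective = if ($name -ne 'Standard') {
            (Get-NetFirewallProfile -Name $name -PolicyStore ActiveStore).Enabled
        } else {
            'n/a'
        }

        [pscustomobject]@{
            Profile     = $name
            GpoValue    = if ($null -ne $gpo) { $gpo.EnableFirewall } else { '(not set by GPO)' }
            EffectiveOn = $effective
        }
    }
}

Get-FirewallPolicyState | Format-Table -AutoSize

# Which profile is live right now, per network connection. This is the profile
# whose rules and logging settings are actually in effect.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
```

If GpoValue shows 0 for the profile that NetworkCategory reports as active, no amount of editing Local Security Policy will turn the firewall on; the fix is in the GPO stack, as the answer above says. A GpoValue of 1 with EffectiveOn False means policy is not being applied (check gpresult /h) rather than a firewall misconfiguration.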

Working on Windows Server 2012 R2 Core, this worked for me:
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True
Here is how to check if it was successful
Get-NetFirewallRule -DisplayGroup "File And Printer Sharing"
And find the value in "Enabled", it should be set to TRUE.
More info and arguments can be found here:
Set-...

The Windows Firewall is lean, mean, and does its job well. I doubt it would affect your throughput, and I'd trust it over any 3rd party software firewalls. ErikA is right in that you start with a default deny policy (preferably including outbound traffic also) to minimize your attack surface.
However, the benefits of a hardware firewall should be understood,...

If you can do remote registry, remote service console or psexec to the box you can shut down the windows firewall and / or update the rules to allow yourself back in. My preferred method is with psexec.
Assuming you can psexec the command should be:
psexec \\remotecomputername netsh firewall set service remoteadmin enable
psexec \\remotecomputername netsh ...

This sounds like an HTTP.SYS issue that you are having.
Below is an excerpt from Scott Hanselman's blog that describes how to expose IISExpress outside of localhost. The blog post is longer and also describes how to wire up SSL. But I believe the commands that I have posted below, which I pulled from his post, will help you resolve the issue you are ...

You have a bunch of different things all going on in your question. I'll address them separately.
My Windows Server 2008 R2 server gets hammered tons of login attempts. I guess somebody is running a Brute Force attack.
As a general bit of advice: Don't guess. Know. Computer systems are exceedingly complex. A good system administrator should start by ...

As far as I'm aware, this is simply not possible within an Amazon VPC, as they use DHCP for all of their IP assignments within a VPC subnet; static IP addresses are assigned by using Elastic Network Interfaces, which work in the same way as a DHCP reservation. Amazon Support will be able to confirm this though, so I'd suggest you contact them.
Your next-...

Changing firewall rules will definitely affect open connections. Rules take effect immediately, and the firewall will prevent any more traffic going through closed ports.
These are older articles, but they have some basic information about the Windows Firewall:
Understanding Firewall Rules | Microsoft Docs
How Windows Firewall Works | Microsoft TechNet

What you need to do is:
Get the original rule by name
Get the address filter out of it
Get the new rule by name
Set the address filter in it
And yes, you can merge a lot of those into a one-liner, but for example I think this will do it:
$sourceRule = Get-NetFirewallRule -DisplayName "MSSQL"
$sourceIPs = $sourceRule | Get-NetFirewallAddressFilter
Set-...
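The answer above is cut off at the last step. The following is an added example, not the answer's own code, that carries the four steps through in one function and verifies the result: read the remote-address filter off the source rule, write it onto the target rule's filter, and read the target back. The rule display names "MSSQL" and "MSSQL Browser" are assumptions; DisplayName is not unique in the firewall, so the function refuses to continue if either name matches more than one rule.

```powershell
# Added example (not from the original answer). Copies the remote-address
# scope of one firewall rule onto another and checks the copy took.

function Copy-RuleRemoteScope {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To
    )

    # Step 1 and 3: fetch both rules by display name; stop if a name is
    # ambiguous, since Set-* would otherwise silently edit every match.
    $sourceRule = @(Get-NetFirewallRule -DisplayName $From -ErrorAction Stop)
    $targetRule = @(Get-NetFirewallRule -DisplayName $To   -ErrorAction Stop)
    if ($sourceRule.Count -ne 1) { throw "'$From' matches $($sourceRule.Count) rules; expected exactly one." }
    if ($targetRule.Count -ne 1) { throw "'$To' matches $($targetRule.Count) rules; expected exactly one." }

    # Step 2: the address filter is a separate object linked to the rule.
    $addresses = ($sourceRule[0] | Get-NetFirewallAddressFilter).RemoteAddress

    # Step 4: edit the target's filter in place. Equivalent shorthand is
    # Set-NetFirewallRule -DisplayName $To -RemoteAddress $addresses.
    $targetRule[0] | Get-NetFirewallAddressFilter |
        Set-NetFirewallAddressFilter -RemoteAddress $addresses

    # Verify by reading the target's filter back from the firewall.
    $after = ($targetRule[0] | Get-NetFirewallAddressFilter).RemoteAddress
    if (@(Compare-Object @($addresses) @($after)).Count -ne 0) {
        throw "Remote address scope on '$To' does not match '$From' after the copy."
    }
    $after
}

# Usage with assumed rule names:
Copy-RuleRemoteScope -From 'MSSQL' -To 'MSSQL Browser'
```

Only the remote-address list is copied; local addresses, ports and the rule's own Enabled state are left as they were on the target. If you want the target to mirror the source entirely, copy those filters (Get-NetFirewallPortFilter and friends) the same way.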

It's not possible to disable the firewall notifications alone, but since Windows 10 build 1607 it has been possible to disable all Security and Maintenance Notifications using
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance, value Enabled = 0 (DWORD)
Either add this registry key directly via Group ...

According to this answer you can't create an exception for an outgoing block rule.
So instead you will need to create multiple block rules for the executable, so as to cover the entire IP address range apart from those addresses you want to allow.
For example, if you wanted to only allow traffic to 100.100.1.33, you would create block rules for 1.1.1.1-100....
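Working out the block ranges by hand is error-prone once the allow-list has more than one address. The following is an added example, not code from the answer above: it computes the IPv4 ranges that lie outside an allow-list and places them in one outbound block rule for the executable (a single rule accepts many ranges, so one rule is enough). The program path, rule name and the allowed address are assumptions; starting the complement at 1.0.0.0 rather than 0.0.0.0 is a deliberate choice, since 0.0.0.0/8 is not a valid unicast destination. IPv6 is not covered by this rule and would need a corresponding one.

```powershell
# Added example (not from the original answer). Builds a "block everything
# except these addresses" outbound rule for one program. PowerShell 5+.

function ConvertTo-IPv4Number ([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                 # network order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-IPv4Number ([uint32]$Number) {
    $bytes = [BitConverter]::GetBytes($Number)
    [Array]::Reverse($bytes)
    [System.Net.IPAddress]::new($bytes).ToString()
}

function Get-IPv4Complement ([string[]]$Allowed) {
    # Returns "a.b.c.d-e.f.g.h" ranges covering 1.0.0.0-255.255.255.255 minus $Allowed.
    $points = $Allowed | ForEach-Object { [uint64](ConvertTo-IPv4Number $_) } | Sort-Object -Unique
    $ranges = New-Object System.Collections.Generic.List[string]
    [uint64]$cursor = ConvertTo-IPv4Number '1.0.0.0'   # skip 0.0.0.0/8 (not a unicast destination)

    foreach ($p in $points) {
        if ($p -lt $cursor) { continue }     # allowed address below the start; nothing to block there
        if ($p -gt $cursor) {
            $ranges.Add(('{0}-{1}' -f (ConvertFrom-IPv4Number ([uint32]$cursor)),
                                      (ConvertFrom-IPv4Number ([uint32]($p - 1)))))
        }
        $cursor = $p + 1                     # uint64 so 255.255.255.255 + 1 cannot overflow
    }
    if ($cursor -le [uint32]::MaxValue) {
        $ranges.Add(('{0}-{1}' -f (ConvertFrom-IPv4Number ([uint32]$cursor)), '255.255.255.255'))
    }
    $ranges
}

function New-ProgramEgressLockdown {
    param(
        [Parameter(Mandatory)][string]$Program,
        [Parameter(Mandatory)][string[]]$Allowed,
        [Parameter(Mandatory)][string]$Name
    )
    [string[]]$ranges = Get-IPv4Complement $Allowed
    # One outbound block rule carrying every complement range. Allowed
    # destinations fall through to the default outbound behaviour (allow).
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
        -Program $Program -RemoteAddress $ranges -Profile Any | Out-Null
    $ranges
}

# Usage with assumed values (the single allowed address from the answer above):
New-ProgramEgressLockdown -Name 'ExampleApp: block all but 100.100.1.33' `
    -Program 'C:\Program Files\ExampleApp\app.exe' -Allowed '100.100.1.33'
```

For the single address 100.100.1.33 the function produces two ranges, 1.0.0.0-100.100.1.32 and 100.100.1.34-255.255.255.255, which is the list the answer begins to spell out. Check the stored scope afterwards with Get-NetFirewallRule -DisplayName <name> | Get-NetFirewallAddressFilter; remember that the rule is keyed on the program path, so a copy of the executable in another location is not covered.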